Why is md5 still widely used

ε祈祈猫儿з submitted on 2019-12-05 06:47:49
Mark Byers

Neither MD5 nor SHA-1 should be used for hashing passwords. They are designed to be fast to compute, which is exactly what you don't want. If people are using these hashing algorithms for hashing passwords, it's likely because they don't know about alternatives.

Instead you should be using something like bcrypt that is designed specifically for this purpose. It can be configured to be as hard to compute as you need. As computers get faster you can just add more rounds to the computation to make it take longer. This will slow down attackers who get hold of the hashes and try to use brute-force or dictionary based attacks to get the passwords.
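The shape of what this answer recommends, as an added example that is not part of the original post: a random per-user salt, a tunable work factor stored next to the hash so it can be raised later, a constant-time comparison, and a check that tells you when a stored hash was made with an outdated cost and should be recomputed at the user's next login. bcrypt itself is a third-party package, so this uses the standard library's PBKDF2 instead; the storage format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the `CURRENT_ITERATIONS` value are assumptions made for the example, not anything the answer specifies.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor the application currently considers adequate (assumed value for
# the example). Raise it as hardware gets faster; old hashes keep their own
# count embedded in the stored string and are upgraded by needs_rehash().
CURRENT_ITERATIONS = 200_000

# Assumed storage format: "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>"
_ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str,
                  iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string for storage in the user table.

    A fresh 16-byte random salt is drawn per call unless one is supplied
    (supplying one is only for deterministic testing)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (_ALGO, iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count embedded in `stored` and
    compare in constant time, so a wrong password does not leak via timing."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != _ALGO:
        return False
    iterations = int(parts[1])
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash used fewer rounds than the current policy;
    call hash_password() again right after a successful login to upgrade it."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != _ALGO or int(parts[1]) < CURRENT_ITERATIONS


def cost_seconds(iterations: int) -> float:
    """Wall-clock time of one hash at the given work factor, to tune the
    iteration count for the hardware actually in use."""
    start = time.perf_counter()
    hash_password("timing probe", iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
    print("cost at 200k iterations: %.3fs" % cost_seconds(CURRENT_ITERATIONS))
```

A real deployment would use bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolling the format, but the two things to keep from this are the embedded, upgradable work factor and the per-user random salt.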

Related

For the same reason mysql_* functions are used, most resources and tutorials on the web are outdated with information, causing newbie programmers to use them blindly (because the tutorial said so!).

I don't blame the new programmers, I blame the tutorial makers for not updating their tutorials. Google's search algorithm also usually takes age into account, and displays older entries higher in the search result.

As for alternatives, I believe Mark Byers said it better than I can.

Why is md5 still widely used for hashing

It's perfectly fine, if you want to e.g. check a program for validity (md5 your ISO). That some people use it for stuff it shouldn't be used for (anymore) shouldn't be of your concern, and is unanswerable :)

Should I automatically discount it, or are there specific use cases where its use would actually be better than other hashing mechanisms?

Yes. Discount it if you are using it for passwords. You have already found weaknesses, but see what @markbyers says about what you should use, e.g. bcrypt

hakre

Why is md5 still widely used for hashing?

It is not. Even Wordpress abandoned it years ago. And Wordpress is widely used.

Should I automatically discount it, or are there specific use cases where its use would actually be better than other hashing mechanisms?

I have no clue what you mean. Use a hashing algorithm that is suitable for password hashing and you should not need to worry much.

MD5 is still reasonably safe to use for most cases[*], so long as you use a good "salt" to mix in with the actual password before it's encrypted.

There is still no known way other than brute force to accomplish a "first pre-image attack" on MD5, i.e. given a hash, figure out what the original password was.

The "salt" mentioned above is necessary to ensure that your encrypted passwords can't be trivially looked up in a "rainbow table" or other existing lists of "string to digest".

The recent Linked-In password leak is a good example of why salt is important. They failed to salt their users' passwords, so many of the passwords were trivially reversed because the hashes of those passwords are already computed (and in many cases found via Google).

What you still shouldn't do though is have the salt itself easily determined. If the attacker can work out what the salt is all bets are off, because then the brute force mechanisms described in the article posted by Florian become available again. A good salt should be long, and you shouldn't use the same salt for every user.

The only true weaknesses so far found in MD5 itself have been ways to produce a new file which manages to result in the same MD5 digest as another file, when you already know the contents of the original file. This is known as a "second pre-image attack", and is irrelevant when considering the use of a hashing algorithm for password encryption.

All that said, if a better algorithm (SHA-2, bcrypt) is available, you might as well use it!

[*] I wouldn't use MD5 for anything relating to eCommerce, though!
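What the rainbow-table and salt points in this answer look like in practice, as an added example that is not part of the original post. The wordlist and the "leaked" records are constructed for the example. The first half shows why unsalted MD5 hashes fall to a precomputed table, the second shows that a per-user salt makes that table useless but, because the salt is stored with the hash and MD5 is fast, the attacker simply runs the dictionary again per user, which is the brute-force case the answer says "becomes available again".

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample dictionary; real attack lists have hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once; this is the 'string to digest' list the
    answer mentions, and it is reusable against every unsalted database."""
    return {md5_hex(w.encode("utf-8")): w for w in words}


def crack_unsalted(leaked_hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Unsalted hashes: one dictionary lookup per hash, no hashing at all."""
    return {h: table[h] for h in leaked_hashes if h in table}


def new_salt() -> bytes:
    """Per-user random salt; 16 bytes is long enough that two users never share one."""
    return os.urandom(16)


def salted_md5(password: str, salt: bytes) -> str:
    """Salted MD5 as the answer describes it: digest(salt || password)."""
    return md5_hex(salt + password.encode("utf-8"))


def crack_salted_with_table(leaked: Iterable[Tuple[bytes, str]],
                            table: Dict[str, str]) -> Dict[str, str]:
    """The same precomputed table against salted hashes: nothing matches,
    because every table entry was computed without the salt."""
    return {h: table[h] for _, h in leaked if h in table}


def crack_salted_by_brute_force(leaked: Iterable[Tuple[bytes, str]],
                                words: List[str]) -> Dict[str, str]:
    """Salt known (it has to be stored beside the hash), so the attacker
    recomputes the dictionary per user. Salt removes the shared table but not
    the per-user guessing; only a slow hash makes that guessing expensive."""
    found: Dict[str, str] = {}
    for salt, h in leaked:
        for w in words:
            if salted_md5(w, salt) == h:
                found[h] = w
                break
    return found


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leak" of unsalted hashes: two weak passwords, one strong one.
    unsalted_leak = [md5_hex(b"letmein"), md5_hex(b"dragon"), md5_hex(b"Tr0ub4dor&3-xK")]
    print("unsalted, table lookup:", crack_unsalted(unsalted_leak, table))

    # Same passwords stored with a per-user salt.
    salted_leak = [(s, salted_md5(p, s))
                   for s, p in ((new_salt(), "letmein"), (new_salt(), "dragon"), (new_salt(), "Tr0ub4dor&3-xK"))]
    print("salted, table lookup:  ", crack_salted_with_table(salted_leak, table))
    print("salted, brute force:   ", crack_salted_by_brute_force(salted_leak, WORDLIST))
```

Run it and the unsalted leak and the salted brute-force pass recover the same two weak passwords; only the middle line, the precomputed table against salted hashes, comes back empty. That is exactly the gap the salt closes and the gap it does not.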
